Vulnerability Disclosure in Aviation

Odds are that you caught the recent news coverage of an incident involving Chris Roberts, a security researcher, being pulled off a flight for a tweet posted in humor about possible vulnerabilities on the plane.

Another recent event may have slipped under your radar, however: the publication of a Government Accountability Office (GAO) report titled “FAA Needs a More Comprehensive Approach to Address Cyber Security as Agency Transitions to NextGen.”

Put the on-board tweeting incident together with the GAO report and recent security research into the vulnerabilities of in-flight systems, and it is readily apparent that the threat landscape for aviation is changing.

Basically, when we bring modern IT into an industry where technology has been fostered in a traditionally closed environment confined to a small group of people, a previously controlled culture is thrust out into the open and forced to deal with basic security issues that more open systems have been dealing with for years. Energy, utilities, automotive and any other industry where operational technology is being merged with or entirely replaced by IT components join aviation in experiencing this conflict over change.

The debate over vulnerability disclosure

This change has led to factions among experts. Traditional engineering professionals believe that any published information about how systems can be exploited increases the risk of those systems being exploited. In contrast, security researchers argue that responsible vulnerability disclosure creates positive pressure on vendors and industry to address these issues more effectively.

Industries with a stake in life-and-death situations are, of course, sensitive to the issue of vulnerability disclosure. Flight safety takes precedence over information security, and for good reason. However, as more and more threats turn into attacks affecting high-profile organizations, information security is gaining visibility.

Despite the gradual acceptance that cyber-attacks can have real-world consequences, security researchers are concerned that any demonstration of theoretical attacks on aircraft systems, including scenarios such as accessing some flight control systems via the in-flight entertainment system, will prompt regulators and airlines to respond aggressively and negatively, with the intent of suppressing the information. Researchers fear that, even with responsible vulnerability disclosure, efforts to acknowledge the concerns and develop plans to fix them will be scrapped.

An example of the clash between old industry notions and new ideals is the recent introduction of WiFi on planes, which many experts believe makes it easier for attackers to hack airplanes. While in-flight WiFi goes a long way toward appeasing customers, it also means planes may be more exposed to having their in-flight computer systems attacked through a readily available on-board network. The GAO report states: “[m]odern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems.”

The same GAO report calls into question the FAA’s strategy for cyber security around NextGen, the satellite-based successor to today’s radar-based air traffic control system. This is further evidence of newer technology being brought in to replace an older one in a field in which only a limited number of people are familiar with the technology. Quite simply, radar expertise is limited to a relative few, while millions of people use GPS systems on a daily basis. This readily changes the threat landscape for air traffic control, even more so given established reports of drones being hacked by rogue GPS signals.

How industry decides to coordinate with security experts, and how bold vulnerability disclosure becomes, will go a long way toward ensuring that the friendly and safe skies we fly in remain that way.